Re: man in the middle



"Shenan Stanley" <newshelper@xxxxxxxxx> wrote in message news:OJfVl4fiIHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
Entire Conversation:
http://groups.google.com/group/microsoft.public.security/browse_frm/thread/9914c00b3456fe7e/5c31fc709607cf76#5c31fc709607cf76



Kerry Brown wrote:
It sounds like your router may have been compromised.

Unplug one of your computers from the router. Do a clean install of
Windows on this computer making sure you delete all partitions then
recreate them during the install. Leave this computer unplugged
from the router. Don't worry about updating it just yet. On a
different computer download the latest firmware for your router.
Burn this file to a CD or copy it to a flash drive. Make sure there
are no other files on the CD or flash drive. Unplug all of the
computers from the router. Unplug the router from the Internet.
Reset the router to the factory defaults. Plug in the computer with
the fresh Windows install. Use it to flash the router with the
downloaded firmware. Reset the router again. Set a password for the
admin account. Plug the router back in to the Internet and update
this computer. Do not plug in any of the other computers until they
have been wiped clean and a fresh install of Windows done.
The key is to flash the router with a clean computer then set a
password on the router before reconnecting to the Internet.

BoaterDave wrote:
I feel there is much merit in what you say. FYI I did raise this
topic here
http://aumha.net/viewtopic.php?t=26677&start=0&postdays=0&postorder=asc&highlight=
before I became persona non grata at AumHa.
Are you aware of any way to check whether or not a router has been
compromised - *before* one follows the procedure you have outlined?
I should be interested to learn more about this subject. Do you (or
anyone else reading here) have any pointers as to where to begin?

I found this item which I found interesting - others may too:-
http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026

A fairly recent news item here, too:
http://www.pcpro.co.uk/news/173883/chinese-backdoors-hidden-in-router-firmware.html

While I know of no way to find out if a router has been compromised - if there is even one ounce of suspicion that it could have been compromised - it would be better to reset the router to defaults, set a new password (strong one) on it, leave remote management turned off, make sure wireless (if a feature of said router) is using WPA or WPA2 at least for security, etc.

What makes that even better is doing that 'offline' - the router does not need an Internet connection for any of that.

In this particular case (where the original poster seems to have been targeted in some way, or is overlooking some part of re-securing their entire system, not just the computer) the advice is spot-on in my opinion. Start from the first piece of equipment you can control and work your way through to the last - keeping them all 'offline' until you have changed the setup on all of them and secured them to the best of your ability.



There are currently two exploits for routers I know of. They both change the DNS servers the router uses to compromised DNS servers. This means whatever URL you type in isn't necessarily where you end up. They can use the compromised DNS servers to send you wherever they want. You type in www.google.com and end up at some malware site that tries every trick in the book to get more malware on your computer, or more likely a site that is full of advertising where you are enticed to click on ad links while trying to get to where you wanted to go in the first place. It's a vicious circle. Every legitimate site you try to go to, you're redirected to a non-legitimate site. They can even let you get to legitimate online AV sites to scan the computer. Because the router is compromised, not the computer, all the AV scans come up negative. The original trojan that compromised the router has long since erased itself.

One exploit is a trojan that probes common IP addresses for a router. If it finds one it takes advantage of the fact that most people never set a password on the router and reprograms the DNS settings. The trojan tries a few common passwords as well as no password. Setting a strong password on the router admin account stops this exploit.

The other exploit uses a flaw in some older versions of Flash to change the router's DNS settings via UPnP. All they have to do is trick you into watching an infected Flash video. You go to what looks like a normal website with some streaming video. While watching the video your router is reprogrammed. Keeping Flash up to date and/or turning off UPnP on the router stops this exploit.

Doing a hard reset of the router is probably enough to fix a changed DNS setting. I have seen a couple of cases on networks that had highly compromised computers where someone or something had tried to flash the router unsuccessfully and the router was toast. This tells me there may be an exploit that tries to flash a router. That's why I recommended flashing the router.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/


